
Consider adding user invitation into Admin Panel

Open xmichaelx opened this issue 6 years ago • 8 comments

Admin enters only the user's email. This creates a blank user account with only the email filled in and sends an invitation link (much like a password reset link) to the entered email.

Upon logging in via the given link, the user can register, but with the email field unchangeable. This would go well with setups where registration is not open for everyone.

xmichaelx · Feb 18 '19 09:02

@skoruba

I need this and am willing to work towards making it happen. Perhaps it can be introduced passively via a button in the admin? This would also allow other account details to be set up in advance by an admin, such as roles, and could even serve as a "password reset" initiated from the admin.

User Story: As an admin over a private identity server without public registration, I would like to register users with a temporary password and allow the user to receive notification of their new account and establish their password initiated by a system generated e-mail, so that I can set up accounts on a private system without having to "swivel chair" the process manually.

Details: So, the ability for users to register themselves is appropriate for public systems, but on private systems the admin workflow is a bit clunky unless I'm missing something. Right now, if I disable the registration features, my only option for introducing users into the system is to create them manually, set a default password manually, manually communicate their account details to them, and hope they change the password.

I would like to automate the "temporary password" and the communication to the user via a system-generated e-mail.

Proposal: In the admin, perhaps a button could be placed strategically for an admin to "Send Registration" (or perhaps there is a better phrase), which an admin can click to establish a system-generated temporary password and generate an e-mail with instructions for the user to log in and set up their own password. It would be even more useful if the user could be presented with a "set new password" step, and alternatively establish two-factor auth at first login, etc.

Is there a better workflow already in the system that I wasn't able to find? I'd be willing to do the work with your input on how you would like this to be accomplished if you are willing.

joshua-p-williams · Feb 05 '20 07:02

Just some thoughts:

I would create a new table to store this temporary information (including the temporary "password"; I'd probably call it a PIN). If the invited user clicks the registration link in the email, you'd allow the user to register. That way you don't have to create a user that only has an email address.

Related to that: Is there a way for the system to send an email to administrators whenever someone registers?

alexdresko · Feb 05 '20 18:02

I'm taking a stab at it. See the fork off of this project's dev branch at https://github.com/NephosIntegration/IdentityServer4.Admin/tree/InviteUser.

From the user profile page under admin, I've added a new "dark" button between "Audit Log" and "Change Password" labelled "Invite User".

The best solution as I'm seeing it is: if you "Invite the user", it should generate a password reset token (similar to the identity login's "forgot password"), send an e-mail to the user with a link to a page similar to the "password reset" page within the identity server, with further options to allow them to immediately start updating their profile and perform other tasks such as setting up two-factor, etc.

The biggest problem is that there is some code that seems like it should be "shared" between the Admin project and the "STS.Identity" project related to adding the "email functionality", but there isn't a common library for it.

I was considering the "Skoruba.IdentityServer4.Admin.BusinessLogic.Shared" project, but refactoring the messaging (smtp / sendgrid) would require including a couple of dependencies that would also get pulled into the other project. It's just a couple of small sections that would require "copy / paste" if you wanted to go that route instead of sharing them, but I'm not a fan of "copy / paste" and would opt to have a common library between the two projects. I don't feel like I can make that decision without input from @skoruba.

Anyhow, I'm going to continue to get it functional in my own fork (as I need it), and will be happy to discuss the architecture / organization of it and refactor accordingly if it would be useful here too.

joshua-p-williams · Feb 06 '20 07:02

@jwilliamsnephos - thanks for your work on this issue, I will check your fork. You are right, I am considering creating a new project for the shared parts of the whole solution: #413 - if you want to help me with this shared project, it would be perfect - but I would like to create separate PRs for the shared stuff and the invitation functionality. What do you think?

skoruba · Feb 06 '20 07:02

Oh, my branch is not really ready for a review yet. Just putting it out there that I'm willing and wanting to work on it. :)

Yes, I would love to help with the "shared parts", and I agree they are separate issues with separate branches. I'll take a look at the other ticket you referenced when I get off work tonight.

joshua-p-williams · Feb 06 '20 17:02

Decided to keep working on this until I hear back on https://github.com/skoruba/IdentityServer4.Admin/issues/413

The process I'm coming up with is: upon user invite, it creates an "invitation_token" claim on the user and sends them an e-mail directing them to "finish the registration" process. On the STS Identity there is a new page, "RegisterByInvitation". A user is valid to "complete registration" if they confirm the e-mail, have a valid invitation_token, and it matches the user id. Completing the registration simply involves typing in their e-mail and supplying a password.

They are now in the system.

joshua-p-williams · Feb 09 '20 06:02

I pushed my branch into an environment and it was shown to some users. They liked it, so I'm ready to incorporate this into your project if you are willing and want to (see https://github.com/NephosIntegration/IdentityServer4.Admin/tree/InviteUser).

So here are the steps.

  1. Administrator creates the user with as much or as little detail as they desire.
  2. Administrator clicks "Invite User":
     • An invitation_token claim is created for the user with a unique GUID.
     • An e-mail is sent to the user (from the admin project).
  3. User receives an e-mail welcoming them and inviting them to finish the registration, where they are directed to a new route ( /Account/RegisterByInvitation ) on the STS Identity project.
  4. The user verifies their e-mail address and enters a password to use with their account.
     • This is only accepted if the user has not set a password yet (meaning they haven't already registered), and the e-mail address matches the account with a valid invitation_token claim sent with the request to this route. Otherwise they are redirected to the standard registration (which is disabled in my scenario, so they receive the standard "registration is disabled" message).
  5. User registration is now complete, the invitation_token claim is removed, and standard operating procedures continue as normal.

Let me know if you want to do a code review and I'll be happy to create a PR or refactor as you see fit. I did incorporate the translations, and am ready to help move the "shared" code into a common library. The shared code in this case is the ability for e-mails to be sent from the Admin project (which does not currently exist).

joshua-p-williams · Feb 11 '20 02:02
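The invite-then-complete flow described in the two comments above (the invitation_token claim, the /Account/RegisterByInvitation route, and the acceptance rules: no password set yet, e-mail matches, token matches, claim removed on success) as an added, self-contained Python example. This is not code from the fork or from IdentityServer4.Admin, which are C#/ASP.NET Identity; the in-memory `User`, `InvitationService`, the 48-hour expiry, and storing a SHA-256 hash of a random token rather than the raw GUID are choices of this example, not a description of what the fork does.

```python
"""Invitation-based registration (added example, not the project's code).

Models the flow from the thread: an admin invites an existing, password-less
user, the user follows a link to /Account/RegisterByInvitation, types their
e-mail and a password, and the invitation claim is consumed on success.
Assumptions beyond the thread: token is stored hashed, invitations expire.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

INVITATION_CLAIM = "invitation_token"    # claim name used in the thread
INVITATION_TTL_SECONDS = 48 * 3600       # assumption: the thread describes no expiry
INVITE_ROUTE = "/Account/RegisterByInvitation"
REGISTER_ROUTE = "/Account/Register"     # standard registration (disabled in the reporter's setup)


@dataclass
class User:
    """Minimal stand-in for an ASP.NET Identity user (constructed for this example)."""
    user_id: str
    email: str
    email_confirmed: bool = False
    password_hash: Optional[str] = None
    claims: Dict[str, str] = field(default_factory=dict)

    def has_password(self) -> bool:
        return self.password_hash is not None


@dataclass
class RegistrationResult:
    ok: bool
    reason: str                   # for the server log only; the user sees the redirect
    redirect: Optional[str] = None


def _hash_password(password: str) -> str:
    """Salted PBKDF2-HMAC-SHA256; stored as 'salt:digest' (hex)."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt.hex() + ":" + digest.hex()


class InvitationService:
    def __init__(self, users: List[User], now: Callable[[], float] = time.time):
        self.users = {u.user_id: u for u in users}
        self.now = now  # injectable clock so expiry can be tested offline

    def invite(self, user_id: str) -> str:
        """Admin step: attach a hashed, expiring invitation claim; return the raw token for the e-mail."""
        user = self.users[user_id]
        token = secrets.token_urlsafe(32)          # 256 bits of entropy, unguessable
        expires = int(self.now()) + INVITATION_TTL_SECONDS
        token_hash = hashlib.sha256(token.encode()).hexdigest()
        user.claims[INVITATION_CLAIM] = f"{token_hash}:{expires}"   # raw token never persisted
        return token

    def invitation_link(self, base_url: str, user_id: str, token: str) -> str:
        return f"{base_url}{INVITE_ROUTE}?userId={user_id}&token={token}"

    def complete_registration(self, user_id: str, email: str, token: str,
                              new_password: str) -> RegistrationResult:
        """STS step: every failure redirects to standard registration, as in the thread."""
        user = self.users.get(user_id)
        if user is None or user.has_password():
            return RegistrationResult(False, "unknown user or already registered", REGISTER_ROUTE)
        claim = user.claims.get(INVITATION_CLAIM)
        if claim is None:
            return RegistrationResult(False, "no pending invitation", REGISTER_ROUTE)
        stored_hash, _, expires = claim.partition(":")
        if int(self.now()) > int(expires):
            del user.claims[INVITATION_CLAIM]      # stale invitation is dropped, admin must re-invite
            return RegistrationResult(False, "invitation expired", REGISTER_ROUTE)
        if user.email.strip().lower() != email.strip().lower():
            return RegistrationResult(False, "e-mail does not match invited account", REGISTER_ROUTE)
        presented = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(stored_hash, presented):   # constant-time compare
            return RegistrationResult(False, "invalid invitation token", REGISTER_ROUTE)
        # All checks passed: the user proved control of the mailbox the link went to.
        user.password_hash = _hash_password(new_password)
        user.email_confirmed = True
        del user.claims[INVITATION_CLAIM]          # single use: the link cannot be replayed
        return RegistrationResult(True, "registration complete")
```

Every rejection path returns the same redirect, so a client probing the route cannot distinguish "no such user" from "wrong token"; the distinguishing reason goes only to the log. Consuming the claim on success, and on expiry, is what makes the emailed link single-use, which matters because the link sits in a mailbox indefinitely.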

What's happening with this feature?

carlblanchard · May 05 '22 17:05